Single Digital Password Credential Sought

NSTIC Aims to Improve Net's Trustworthiness as Commercial Center

he Obama administration Friday unveiled a federal government/private-sector strategy that it says would eventually let users obtain a single credential as a one-time digital password in the form of software on a mobile device, a smart card or token to transact business over the Internet.

With much fanfare at an event held at the headquarters of the U.S. Chamber of Commerce - symbolizing the initiative's government-business cooperation - the administration released the 52-page blueprint known as National Strategy for Trusted Identities in Cyberspace, or NSTIC (pronounced n-stick). The event featured speakers that included White House Cybersecurity Coordinator Howard Schmidt, Commerce Secretary Gary Locke and Sen. Barbara Mikulski, D-Md., as well as a panelist of private-sector IT security and privacy experts.

To emphasize the importance of the NSTIC strategy to the administration's economic and security policy, the White House issued a statement from President Obama, in which he said the commercial transformational strength of the Internet is being hampered by online fraud and identify theft that harms consumers and costs billions of dollars annually. "By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation. That's why this initiative is so important for our economy."

A fact sheet issued by the White House said 8.1 million American adults fell victim to identity theft or fraud in 2010 at a total cost of $37 billion.

Indeed, NSTIC stands at the intersection of national economic and security stability, a point alluded to by Schmidt, who reports to the president's chief national security and economic advisers. "As we move forward, our expectations in cyberspace (can) change from being worried about something to having a better level of confidence in everything we do," he said.

What NSTIC is not, as some critics have contended, is a strategy that will lead to a national identity card. "The strategy is not a national ID program; in fact, it's not an ID program at all," Leslie Harris, CEO of the Center for Democracy & Technology, writes in a blog posted on the Commerce Department website. "It is a call for leadership and innovation from private companies. The government's role must now be to advocate for its citizens and to support the development of a fair and useful system."

Schmidt and other administration officials emphasized that business must lead the development of the NSTIC, with the government serving as a facilitator.

Still, the vendor of one data security product said the government might need to regulate the industry of credential providers that could result from NSTIC. "Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy," Aaron Titus, chief privacy officer at Indentity Finder, said in a statement. "The stakes are high, and if implemented improperly, an unregulated identity ecosystem could have a devastating impact on individual privacy."

The government said it's initiating two short-term actions to implement the NSTIC: Developing an implementation roadmap that identifies and assigns responsibility for actions that the government can perform itself or can facilitate private-sector efforts and establishing a national program office in the Commerce Department to coordinate the activities of the government and its private-sector partners.

"We're not looking for one solution; we're not looking for one database; we're not looking for that national ID component that we've talked about," Schmidt said. "We're looking for choice, whether it's a device, whether it's technology, whether it's an interoperability solution; we want choices. And this is thing that we can come together to make sure that it is cheaper, useable and more secure for our consumers and end users."

The NSTIC documents states it will likely take years to develop and achieve the vision of what it terms an identity ecosystem. To meet that goal, Mikulski said the budget that passed Congress this week contains $25 million for NSTIC.

What NSTIC Does

According to the White House:

Consumers will be able to choose among different credential providers. There will be no single, centralized database of information. Consumers can use their credential to prove their identity when they carry out sensitive transactions, like banking, and can stay anonymous when they are not. Consumers would not be forced to use the credentials to authenticate themselves.

Once the identity ecosystem is developed, a business, for example, would be able to avoid the cost of building its own login system and could more easily take its business online. Consumers would be able to connect with the new business with a credential they already have, thereby avoiding the hassle of creating another username and password while also being more secure. The business can take advantage of this interoperability to focus on its product or service instead of on managing users' accounts..

Consumers would have the option of proving their identity online, which would enable industry and government to move brick-and-mortar services to the online world and to create innovative new services.